Google is changing the methods it uses to flag sites as suspicious or dangerous. The changes will flag sites that are not necessarily malicious but may not be under the control of the owner (such as sites with spam or links from phishers).

Thousands of websites have been compromised by a worm that defaces websites and installs malicious code that attacks website visitors. The worm has been on a rampage and reportedly infected 188% more sites within a week. Gumblar has compromised a number of high profile websites including Tennis.com, Variety.com and Coldwellbanker.com.

Microsoft Ireland was defaced by "Terrorist Crew." Hackers successfully compromised the microsoft.ie domain which redirects users to Microsoft.com/Ireland. The page that performs the redirection wasn't hosted by Microsoft but rather by a third party.

Most large websites are partially hosted by third parties; this makes monitoring extremely difficult for most existing security technologies (such as IDSes and firewalls) since they need to be installed in front of the web servers. Installation therefore gets expensive, since another device must be purchased and the third party must agree to having it installed in front of the website. Few companies are willing to pay for this and most hosting providers wouldn't allow it anyway.

Bob Sullivan at MSNBC posted a blog entry indicating the things that will go wrong in 2009 in technology; he specifically lists malicious website defacements as one of them and cites the recent MyCheckFree.com defacement as an example. Below are excerpts:

"If you're wondering what computer headaches you should expect in 2009, the Checkfree attack should be high on your list, says Amit Klein, a domain name system expert at The Trusteer Security Research Group. He compared the attack to a phishing attack on steroids, and said it will probably keep security professionals up late at night. None of their fancy security tools can ward off complete interception of traffic headed to a Web site."

"There are new reasons not to trust the Web sites you visit. Getting a virus by clicking on an infected attachment is now passé; if your computer gets sick next year, it will probably be because you visited a booby-trapped Web site."

"some legitimate web sites were maliciously modified to include the exploits. For example a popular search engine in Taiwan was found to be hosting the exploit. Luckily, that site was quickly cleaned. Secondly, we’ve noticed some pornography sites have started hosting these exploits too: We recently found a web site in Hong Kong that serves various content including adult entertainment."

"Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability."

0.2% is a staggering number given how many people use the Internet and how recently the exploit surfaced. This points out precisely the reason hackers choose to deface websites maliciously; few other methods can distribute an exploit that quickly and effectively.

The website for the embassy of Brazil in India has been compromised and contains links to fake anti-virus software. This isn't the first time an embassy has been compromised; consider the following embassy compromises:

The website for the Barack Obama campaign is being used to direct users to sites containing malware, according to a ZDNet report. Attackers uploaded a GIF to the community blog section of the website that links to the servers hosting the malware. Users who search Google for "obama trojan anti-virus" are led to the page with the GIF. Upon clicking, the user is sent to the malicious server.

Researchers have discovered PDF exploit packs, much like the web exploit packs such as IcePack. This means that PDF exploits are likely to increase. The biggest target will probably continue to be email users who aren't used to treating PDFs as dangerous. However, websites are at risk too since many sites allow PDFs to be uploaded by users.

A number of Olympic news sites have been compromised and are being used as malware distribution points. Attackers appear to have exploited a SQL injection vulnerability in order to modify pages; their modifications try to force website visitors into downloading malicious code and joining a botnet.

An [SC Magazine article covering the defacement](http://www.scmagazineus.com/Olympic-champion-Phelps-website-defaced-in-Turkish-hack/article/115773/) indicates that the attackers likely found a vulnerability that "enabled them access to the underlying directory, or through some attack means such as cross-site scripting." However, cross-site scripting is highly unlikely to have been the cause, and so is "access to the underlying directory," which implies that the attackers gained access to the file-system. Most likely, a SQL injection vulnerability is at fault and the malicious content was stored in the database (as opposed to on the file-system directly). The "Ask Michael" portion of the site was removed following the attack; it is therefore logical to conclude that this was the vector the attackers used, since that portion of the site would have performed SQL queries.

Note that NSIA currently detects these types of defacements with the Compromise.HackerSignature definitions.

Attackers have found a way to hijack the clipboard using Flash. The attack simply causes the clipboard's paste function to always contain a malicious URL. The attackers hope that users will either click the links or send the malicious links in emails. Security researcher Aviv Raff has posted a harmless demo of the attack (note that your anti-virus client may block the Flash file).

The attackers get others' websites to host the malicious code for them by submitting malicious Flash ads to advertising companies.

Update [Sep 27th 2008, 08:06 p.m. CST]:

Adobe has announced that it plans on requiring user approval before accessing the clipboard in a future version of Flash. This will likely work similarly to the way Flash asks the user whether or not it can access the web-cam or microphone:

Update [Oct 30th 2008, 05:09 a.m. CST]:

Adobe has released an update to Flash that is intended to address the clipboard vulnerability as well as the click-jacking vulnerability.

Newsweek.com was reportedly posting malicious advertisements. The advertisements try to trick users into purchasing anti-virus software by indicating that the user's PC is overrun with viruses.

SC Magazine noted that the attackers used Fuse in an attempt to evade detection. However, one must note there is nothing wrong with Fuse and it is not a malicious tool. It is simply a library for creating animations. The validation techniques used by the advertisers are more at fault than the Fuse developers.

Another mass defacement is underway. This particular defacement leaves behind malicious scripts that attack website users. As of August 8th, about 4,000 sites have been impacted. The attacks are underway so additional sites will likely be impacted.

NSIA currently detects this using the cross-domain scripting definition.

Update []:

The number of pages compromised by this attack continues to increase according to the Internet Storm Center. Currently, about 33,000 pages have been impacted. Though this is a lot of pages, it is significantly fewer than other similar attacks. You can view the impacted sites via Google. Obviously, do not view the web pages unless you want to get infected.

Update [Aug 25th 2008, 03:25 a.m. CST]:

A new definition was created (Compromise.Defacement.MassSQLInjection) that will detect this specific SQL injection. Note that this new definition will usually trigger along with the cross domain scripting definition (Baseline.Property.CrossDomainScripting) whenever the attack successfully creates a script tag. However, this new definition will also detect failed attacks (those that do not successfully create a script tag).
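One way to implement the cross-domain script check that the cross-domain scripting definition describes, as an added example (not NSIA's own definition code), using only Python's standard library and a constructed sample page; the two-label domain comparison is a simplifying assumption:

```python
# Flag cross-domain <script> includes, in the spirit of the cross-domain
# scripting baseline described above. Added example, not NSIA's own logic.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptSrcCollector(HTMLParser):
    """Collect the src of every <script> start tag, closed properly or not."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())
                    break

def registered_domain(host):
    """Two-label approximation ('www.newssite.test' -> 'newssite.test').
    Assumption: no public-suffix list, so 'co.uk'-style hosts are approximate."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_cross_domain_scripts(page_url, html, allowed=()):
    """Return script URLs whose registered domain is neither the page's own
    nor on the allow-list of expected third parties (a CDN, for instance)."""
    page_domain = registered_domain(urlsplit(page_url).hostname or "")
    allowed = {registered_domain(a) for a in allowed}
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)
        host = urlsplit(absolute).hostname
        if not host:
            continue  # data:/javascript: pseudo-URLs are not remote includes
        domain = registered_domain(host)
        if domain != page_domain and domain not in allowed:
            hits.append(absolute)
    return hits

# Constructed sample: a same-origin include, an allow-listed CDN include and
# one appended tag with an unquoted src pointing at another domain.
SAMPLE_HTML = ("<html><head><script src='/js/site.js'></script>"
               "<script src='//cdn.provider.test/lib.js'></script></head><body>"
               "<p>story</p><script src=http://malware-host.test/b.js></script></body></html>")
```

Running `find_cross_domain_scripts("http://www.newssite.test/a.aspx", SAMPLE_HTML, allowed=["cdn.provider.test"])` reports only the include from malware-host.test; a baseline of known third-party hosts per site keeps legitimate CDN includes from triggering.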

The Internet Storm Center noted that many sites that were compromised by the ASPROX worm have not been cleaned up. Reportedly, about 1.5 million sites are still infected. Oftentimes defaced websites are not restored for a long time for any of the following reasons:

The site was cleaned but the vulnerability was not, so the website was simply re-infected as soon as it was fixed. This is more common than one might think. Many times the website owners don't know how to identify or fix the vulnerability. In big businesses, the changes may be held up in change control or other red tape.

The website owner no longer actively uses or maintains the site and doesn't know that it is compromised.

The compromised pages are at places that site owners didn't know existed (such as rogue web-servers or deprecated pages).

Note that the ASPROX-defaced pages are currently detected by the cross-domain scripting definition.

Update [Aug 25th 2008, 02:57 a.m. CST]:

The ASPROX infections appear to be dropping now. SANS reports that the number of infections has been reduced to about 175,000.